generated from coulomb/repo-seed
1.1 KiB
1.1 KiB
Pattern: Quarantined Build Runner
Status: seed Readiness target: RL3 production Primary owners: Railiance platform, product repos Genesis family: Supply chain
Problem
Build jobs often process untrusted code while also having access to secrets, registries, signing keys, or deployment credentials.
Context
Use this pattern for CI/CD runners, release builders, image builders, dependency test jobs, and signing workflows.
Forces
- Builds need network and artifact access.
- Pull requests may contain untrusted code.
- Signing and deployment credentials are high impact.
- Runners need cleanup and isolation between jobs.
Solution
Run build jobs in isolated, least-privilege environments with limited secrets, scoped network access, clean workspaces, and separate trusted release/signing stages.
Verification
- Untrusted jobs cannot access release or deployment secrets.
- Runner workspaces are isolated and cleaned.
- Network and registry access are scoped.
- Signing happens only in trusted release contexts.
Related Patterns
- SLSA Build Provenance.
- Signed Container Images.
- Dependency Update Bot.
- Protected Main Branch.